Oops! is a proxy server whose stated development goals are stable operation, speed, support for the main protocols, modularity and ease of use. A security vulnerability (a heap buffer overflow) has been found in the way the server handles HTML requests.
Credit:
The information has been provided by Cyrax.
As you can see, tempbuf is allocated with strlen(line)*3 bytes. The author assumed that HTMLizing the line could at most produce a string three times longer than the line. But if you look at the html_escaping code, you see that the author translates " into &quot;, which is six characters, twice the per-character budget. So putting a large number of " characters in the HTML line lets us overflow tempbuf.
Solution:
Either upgrade to Oops! proxy version 1.5.0, or apply the following change:
Change the allocation line to:
You can save more memory, though, by allocating tempbuf only after html_escaping has run, when the escaped length is known.
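The sizing mistake above, as an added example (not Oops!'s own code): an escaper that measures the escaped length before allocating, beside a function that reports by how many bytes the strlen(line)*3 budget would be overrun for a given input. The entity table is an assumption of the example.

```c
#include <stdlib.h>
#include <string.h>

/* Entity for the characters that must be escaped, NULL otherwise. The table
 * is an assumption for this example, not the server's own. */
static const char *entity(char c) {
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '"': return "&quot;";  /* six bytes: twice the 3x budget */
    default:  return NULL;
    }
}

/* Bytes the escaped copy of line needs, terminating NUL included. */
size_t html_escaped_size(const char *line) {
    size_t n = 1;
    for (; *line; line++) {
        const char *e = entity(*line);
        n += e ? strlen(e) : 1;
    }
    return n;
}

/* The advisory's sizing (strlen(line)*3, plus NUL here): how many bytes the
 * escaped output would overrun such a buffer by; 0 means it fits. */
size_t overrun_with_3x(const char *line) {
    size_t budget = strlen(line) * 3 + 1, need = html_escaped_size(line);
    return need > budget ? need - budget : 0;
}

/* Hardened escape: measure first, allocate exactly, then copy. Caller frees. */
char *html_escape(const char *line) {
    char *out = malloc(html_escaped_size(line)), *p = out;
    if (!out) return NULL;
    for (; *line; line++) {
        const char *e = entity(*line);
        size_t l = e ? strlen(e) : 1;
        memcpy(p, e ? e : line, l);  /* copy the entity or the byte itself */
        p += l;
    }
    *p = '\0';
    return out;
}
```

Four quote characters need 25 bytes of output against a 13-byte strlen*3 budget, a 12-byte overrun that grows linearly with every additional quote.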
Exploit:
As the traceroute and slocate exploits demonstrated, it is possible to overwrite a function pointer by modifying a malloc chunk. In this case the chunk of htmlized_something lies right after the tempbuf buffer, so the exploit has to overwrite it: set its size to 0xffffffff so that it appears to be a free chunk, put the address of the shellcode into fd and the address of the target function pointer (minus 8) into bk, and when free() calls unlink() it will write the shellcode address into __free_hook. The difficulty is that we must compute the length of tempbuf exactly (and hope malloc does not hand back a larger block), overwrite the chunk precisely, and know the exact addresses of both __free_hook and the shellcode.
As you can see, the bigger problem is the shellcode. We cannot simply put in a (not too) large run of NOPs, because unlink() fills the area near the location pointed to by __free_hook with that address (that is, with illegal instructions), and the shellcode has to jump over them. If instead you point at a NOP, the NOPs after it will be overwritten by unlink() and execution will end in SIGILL.
So, even though this is very hard to exploit, it is still possible.
--- PKCoops-ex.c ---
/* Demonstration Exploit Against Oops Proxy Server v 1.4.22 and prior
 * Coded by |CyRaX| <cyrax@pkcrew.org>
 * Packet Knights Crew : www.pkcrew.org
 * Tested on Slackware 7.0
 *
 * Greetz : all the bros of pkc, especially recidjvo,asynchro & cthulhu
 * LordFelix & bikappa : for some hints about heap overflow
 * BlackBerry , Nobody88, sMAV, Mav, Mr^Moon and all the others
 */
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    /* usage banner: three arguments are required */
    if (argc < 4) {
        printf("Proof exploit against oops proxy server heap buffer overflow!\n");
        printf("by |CyRaX| <cyrax@pkcrew.org>\n");
        printf("Member Of Packet Knights Crew - http://www.pkcrew.org\n");
        printf("Usage ./oopsexp <your_ip> <victim ip> <hostname len>\n");
        printf("your ip: it is necessary for the passive mode\n");
        printf("hostname len is the len of the host that he *thinks* to have\n");
        printf(" for example if the hostname is c500 you must put 4 here\n");
        exit(0);
    }
    printf("now set the victim as your proxy in any web browser and go to\n");
    printf("ftp://<your_ip>\n");
    /* the rest of the original file is not reproduced on this page */
    (void)argv;
    return 0;
}